Restrict fail2ban to evasive blocks instead of all 403 errors
[chef.git] / cookbooks / prometheus / templates / default / apache.erb
index 00760ed436659ccba6466d2d0a53ab1b7ee1ef20..af005314002b5ba7a96bc934850241f2ebb0c973 100644 (file)
@@ -5,7 +5,7 @@
        ServerAlias prometheus.osm.org
        ServerAdmin webmaster@openstreetmap.org
 
        ServerAlias prometheus.osm.org
        ServerAdmin webmaster@openstreetmap.org
 
-       CustomLog /var/log/apache2/prometheus.openstreetmap.org-access.log combined
+       CustomLog /var/log/apache2/prometheus.openstreetmap.org-access.log combined_extended
        ErrorLog /var/log/apache2/prometheus.openstreetmap.org-error.log
 
        RedirectPermanent /.well-known/acme-challenge/ http://acme.openstreetmap.org/.well-known/acme-challenge/
        ErrorLog /var/log/apache2/prometheus.openstreetmap.org-error.log
 
        RedirectPermanent /.well-known/acme-challenge/ http://acme.openstreetmap.org/.well-known/acme-challenge/
@@ -16,7 +16,7 @@
        ServerName prometheus.openstreetmap.org
        ServerAdmin webmaster@openstreetmap.org
 
        ServerName prometheus.openstreetmap.org
        ServerAdmin webmaster@openstreetmap.org
 
-       CustomLog /var/log/apache2/prometheus.openstreetmap.org-access.log combined
+       CustomLog /var/log/apache2/prometheus.openstreetmap.org-access.log combined_extended
        ErrorLog /var/log/apache2/prometheus.openstreetmap.org-error.log
 
        SSLEngine on
        ErrorLog /var/log/apache2/prometheus.openstreetmap.org-error.log
 
        SSLEngine on
        SSLCertificateKeyFile /etc/ssl/private/prometheus.openstreetmap.org.key
 
        ProxyPass /prometheus http://localhost:9090/prometheus
        SSLCertificateKeyFile /etc/ssl/private/prometheus.openstreetmap.org.key
 
        ProxyPass /prometheus http://localhost:9090/prometheus
-       Redirect 403 /alertmanager/api
        ProxyPass /alertmanager http://localhost:9093/alertmanager
        ProxyPass /alertmanager http://localhost:9093/alertmanager
+       ProxyPass /karma http://localhost:8081/karma
+       ProxyPass /api/live/ws ws://localhost:3000/api/live/ws
        ProxyPass / http://localhost:3000/
        ProxyPreserveHost on
        ProxyPass / http://localhost:3000/
        ProxyPreserveHost on
+
+       <Location /prometheus/api/v1/admin>
+               Require all denied
+       </Location>
+
+       <Location /alertmanager>
+<% @admin_hosts.each do |host| -%>
+               Require ip <%= host %>
+<% end -%>
+       </Location>
+
+       <Location /karma>
+<% @admin_hosts.each do |host| -%>
+               Require ip <%= host %>
+<% end -%>
+       </Location>
 </VirtualHost>
 </VirtualHost>
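Review bot: The new `<Location /alertmanager>` and `<Location /karma>` blocks get their only `Require` lines from the `@admin_hosts.each` loop, so an empty list renders both blocks with no authorization directive at all. In that case access to the two proxied UIs would fall back to whatever the enclosing configuration permits, which is likely more open than intended. Whether `@admin_hosts` can be empty depends on the recipe, which is not visible here. The template could fail closed by emitting `Require all denied` when `@admin_hosts.empty?`, or the recipe could refuse to render with an empty list. A short comment above each block, such as `# Restricted to admin hosts; renders no Require lines if @admin_hosts is empty`, would document the dependency. The enclosing `<VirtualHost>` opens outside the visible hunks.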